<HTML>
<BODY BGCOLOR="#FFFFFF">
<center><FONT SIZE=5>Testing a router or firewall</FONT></center>
<BR>

<BR><H1>Introduction</H1>
The life of a router is punctuated by several
important steps :
<UL>
	<LI>configuration
	<LI>securing
	<LI>problem resolution
	<LI>rules' modifications
	<LI>replacement by a new router
</UL>
In each case, network tests are needed to validate administrator's
choices. For example :
<UL>
	<LI>verify the router is
	working as expected
	<LI>verify an intruder
	cannot reach a given IP address or a forbidden port
	<LI>solving a network
	problem to verify why an application isn't functioning
	<LI>verify the validity
	of new rules
	<LI>simulate a testing
	network to help configuring a new network device
</UL>
The aim of this article is to present a method for
testing routers and firewalls. In this document, we only use the term
&quot;router&quot;, but the described method can also be applied to
stateful inspection firewalls, packet filtering firewalls, proxy
firewalls, etc.

<BR><H1>Basic idea</H1>
The basic idea about tests is to send a packet on one side of the
router.<BR>
Then, on the other side :
<UL>
	<LI>if this packet is
	allowed, verify its arrival
	<LI>if this packet is
	evil (deny, drop), verify nothing is forwarded
	<LI>if this packet is
	blocked (reject), verify nothing is forwarded and an ICMP error
	message is sent back to sender (there is a rate limiting for ICMP)
</UL>

<BR><H1>Method</H1>
We do not present a generic high level method. Indeed, every
network administrator has its own way to setup a device or to solve a
problem.<BR>
We emphasis on the low level method by presenting key points,
which can be linked together in order to construct the high level
method of every person.
The key points are :
<UL>
	<LI>How to send a packet ?
	<LI>How to verify the arrival of a packet ?
	<LI>How to simulate a testing computer ?
</UL>
Using only these 3 key points, an administrator can test a
network.

<BR><H1>Tool used</H1>
In order to illustrate examples, the free network testing tool
netwox is used. Netwox is available at :<BR>
 <A HREF="http://ntwox.sourceforge.net/">http://ntwox.sourceforge.net/</A><BR>
<BR>

Other tools or network
libraries (tcpdump, snoop, ipsend, netcat, telnet, libnet, libpcap,
etc.) can also be used, but netwox incorporates
all we need in one program.

<BR><H1>How to send a packet ?</H1>
Well, it depends on
protocols supported by our network. For example, in this paper, we
focus on IP over Ethernet, and ICMP/UDP/TCP.

<H3>Which kind of packets to send ?</H3>
The kind of sent packets
depends on several factors :
<UL>
	<LI>Do we want to check
	an allowed, or a forbidden flow ?<BR>In the first case, we send a
	valid packet.<BR>In the second case, we send an invalid or forbidden
	packet.
	<LI>Does the router is
	in a testing platform or in its real place ?<BR>In the second case,
	it might be dangerous to send invalid packets.
	<LI>Does the sender and
	destination computers are available, or need to be simulated ?<BR>In
	the first case, we spoof at IP level.<BR>In the second case, we have
	to spoof at Ethernet level.
	<LI>Etc.
</UL>
<BR>

<H3>What's the difference between IP level and Ethernet level ?</H3>
When a packet is sent at IP level, the local IP stack :
<UL>
	<LI>set the source
	Ethernet address to the MAC address of the network board
	<LI>gets the Ethernet
	address of the router by sending an ARP request (or by looking in
	its local ARP cache)
</UL>
So, the user doesn't have
to bother with Ethernet. However, this method doesn't allow to do
tricky stuff with Ethernet, and sometimes with IP itself because the
sender IP stack rejects the packet.
<BR>

When a packet is sent at
Ethernet level, it is directly sent on the network without going
through the IP stack. It is more complicated because the user has to
set Ethernet addresses, but can allow to do tricky things. To obtain
the Ethernet address of a computer on the LAN, use &quot;netwox 3&quot;
:
<PRE>
# netwox 3 192.168.10.2
  IP address:  192.168.10.2
  Hostname:    computer2
  Hostnames:   computer2,computer2.example.com
  Eth address: 00:40:95:46:11:23
</PRE>
Don't forget that the destination
Ethernet address has to be set to :
<UL>
	<LI>the Ethernet address
	of the router, if the destination IP address is not on the LAN
	<LI>the Ethernet address
	of the destination IP address otherwise
</UL>
<BR>

<H3>How to send an ICMP packet at IP level ?</H3>
We can use &quot;netwox 41&quot; :
<PRE>
# netwox 41 --ip4-src "192.168.10.1" --ip4-dst "192.168.11.3" --icmp-type "8" \
  --icmp-code "0" --icmp-data "12345678 'my data'"
IP______________________________________________________________________.
|version |  ihl   |       tos       |              totlen               |
|___4____|___5____|_____0x00=0______|_____________0x0023=35_____________|
|                id                 |  DfMf          offsetfrag         |
|___________0x3DB4=15796____________|0_0_0____________0x0000=0__________|
|       ttl       |    protocol     |             checksum              |
|_____0x00=0______|_____0x01=1______|______________0xE6D1_______________|
|                                source                                 |
|_____________________________192.168.10.1______________________________|
|                              destination                              |
|_____________________________192.168.11.3______________________________|
ICMP4_echo request______________________________________________________.
|      type       |      code       |             checksum              |
|_____0x08=8______|_____0x00=0______|___________0x3F01=16129____________|
12 34 56 78  6d 79 20 64  61 74 61                     # .4Vxmy data
</PRE>

To obtain help about parameters, just enter &quot;netwox 41 --help&quot;

<H3 >How to send an ICMP packet at Ethernet level ?</H3>
We can use &quot;netwox 37&quot; :
<PRE>
# netwox 37 --device Eth0 --eth-src 00:40:33:E0:2C:42 --eth-dst 00:40:95:46:41:BC \
  --ip4-src "192.168.10.1" --ip4-dst "192.168.11.3" --icmp-type "8" --icmp-code "0" \
  --icmp-data "12345678 'my data'"
Ethernet________________________________________________________________.
| 00:40:33:E0:2C:42->00:40:95:46:41:BC type:0x0800                      |
|_______________________________________________________________________|
IP______________________________________________________________________.
|version |  ihl   |       tos       |              totlen               |
|___4____|___5____|_____0x00=0______|_____________0x0023=35_____________|
|                id                 |  DfMf          offsetfrag         |
|___________0xCCE7=52455____________|0_0_0____________0x0000=0__________|
|       ttl       |    protocol     |             checksum              |
|_____0x00=0______|_____0x01=1______|______________0x579E_______________|
|                                source                                 |
|_____________________________192.168.10.1______________________________|
|                              destination                              |
|_____________________________192.168.11.3______________________________|
ICMP4_echo request______________________________________________________.
|      type       |      code       |             checksum              |
|_____0x08=8______|_____0x00=0______|___________0x3F01=16129____________|
12 34 56 78  6d 79 20 64  61 74 61                     # .4Vxmy data
</PRE>

Following command is equivalent, but is less easy to understand.
<PRE>
# netwox 37 -d Eth0 -a 00:40:33:E0:2C:42 -b 00:40:95:46:41:BC -l 192.168.10.1 \
  -m 192.168.11.3 -o 8 -p 0 -q "12345678 'my data'"
</PRE>

<H3 >How to send an UDP packet at Ethernet level ?</H3>
We can use &quot;netwox 35&quot; :
<PRE>
# netwox 35 -d "Eth0" -a "1:2:3:4:5:6" -b "7:8:9:a:b:c" -l "1.2.3.4" \
  -m "5.6.7.8" -o "1234" -p "53"
Ethernet________________________________________________________________.
| 01:02:03:04:05:06->07:08:09:0A:0B:0C type:0x0800                      |
|_______________________________________________________________________|
IP______________________________________________________________________.
|version |  ihl   |       tos       |              totlen               |
|___4____|___5____|_____0x00=0______|_____________0x001C=28_____________|
|                id                 |  DfMf          offsetfrag         |
|___________0x95D5=38357____________|0_0_0____________0x0000=0__________|
|       ttl       |    protocol     |             checksum              |
|_____0x00=0______|_____0x11=17_____|______________0x14E9_______________|
|                                source                                 |
|________________________________1.2.3.4________________________________|
|                              destination                              |
|________________________________5.6.7.8________________________________|
UDP_____________________________________________________________________.
|            source port            |         destination port          |
|____________0x04D2=1234____________|_____________0x0035=53_____________|
|              length               |             checksum              |
|_____________0x0008=8______________|___________0xEAC3=60099____________|
</PRE>

Now you are familiar with netwox, do not hesitate to use netwag :<BR>
 - run netwag<BR>
 - click on Search notebook<BR>
 - at the right, there is "[*] show all [ ] search [.....]"<BR>
 - in [.....], enter "udp"<BR>
 - the list of tool will shrink<BR>
 - select line "35 : Spoof EthernetIp4Udp"<BR>
 - click on Run notebook<BR>
 - click on Form sub-notebook<BR>
 - enter values<BR>
 - press on Generate (or "Run it")<BR>
 - press on Run (or "Run it")<BR>

<H3 >How to send a TCP packet at Ethernet level ?</H3>
We can use &quot;netwox 36&quot; :
<pre>
# netwox 36 -d "Eth0" -a "1:2:3:4:5:6" -b "7:8:9:a:b:c" -l "1.2.3.4" \
  -m "5.6.7.8" -p "80" -C
Ethernet________________________________________________________________.
| 01:02:03:04:05:06->07:08:09:0A:0B:0C type:0x0800                      |
|_______________________________________________________________________|
IP______________________________________________________________________.
|version |  ihl   |       tos       |              totlen               |
|___4____|___5____|_____0x00=0______|_____________0x0028=40_____________|
|                id                 |  DfMf          offsetfrag         |
|___________0xAB70=43888____________|0_0_0____________0x0000=0__________|
|       ttl       |    protocol     |             checksum              |
|_____0x00=0______|_____0x06=6______|______________0xFF4C_______________|
|                                source                                 |
|________________________________1.2.3.4________________________________|
|                              destination                              |
|________________________________5.6.7.8________________________________|
TCP_____________________________________________________________________.
|            source port            |         destination port          |
|____________0x04D2=1234____________|_____________0x0050=80_____________|
|                                seqnum                                 |
|_________________________0x512355F1=1361270257_________________________|
|                                acknum                                 |
|_____________________________0x00000000=0______________________________|
|  doff  |reserved CwEcUrAc PsRsSyFi|              window               |
|___5____|0_0_0_0__0_0_0_0__0_0_1_0_|_____________0x0000=0______________|
|             checksum              |              urgptr               |
|___________0xF398=62360____________|_____________0x0000=0______________|
</pre>

<BR><H1>How to verify the arrival of a packet ?</H1>
To check if a packet arrives on a network, we have
to use a sniffer.
We might however encounter problems :
<UL>
	<LI>if the sniffer is on
	the destination computer, everything should be fine
	<LI>if the sniffer is on
	the way to the destination computer (on a crossed router),
	everything should be fine
	<LI>if the sniffer is on
	the same LAN than the destination computer (or if the sniffer is on
	a crossed LAN) :
   <ul>
	<LI>   if the LAN isn't
	switched, everything should be fine
	<LI>   else, we have to
	connect the sniffer on a dedicated port of the switch (or saturate
	the switch)
    </ul>
	<LI>else, there is no
	way to see the packet
</UL>
<BR>

To display packets &quot;netwox 7&quot; can be used
:
<pre>
# netwox 7
 ETH_____________________________________________________________________.
 | 00:40:33:e0:c2:24 vers 00:40:95:46:14:cb         type : 0x0800        |
 |_______________________________________________________________________|
 IP______________________________________________________________________.
 |version |  ihl   |       tos       |              totlen               |
 |___ 4___|___ 5___|_______  0_______|____________0054h=   84____________|
 |                id                 |xxDfMf         fragoffset          |
 |____________0052h=   82____________|0_0_0__________0000h=    0_________|
 |       ttl       |    protocol     |          header checksum          |
 |_____40h= 64_____|_____01h=  1_____|_______________E502h_______________|
 |                                source                                 |
 |______________________________192.168.10.1_____________________________|
 |                              destination                              |
 |______________________________192.168.10.3_____________________________|
 ICMP____________________________________________________________________.
 |      type       |      code       |             checksum              |
 |_____08h=  8_____|_____00h=  0_____|____________AA90h=43664____________|
 A1 02 00 00  7B D7 E1 3A  61 57 03 00  08 09 0A 0B     # ....{..:aW......
 0C 0D 0E 0F  10 11 12 13  14 15 16 17  18 19 1A 1B     # ................
 1C 1D 1E 1F  20 21 22 23  24 25 26 27  28 29 2A 2B     # ...~ !"#$%&'()*+
 2C 2D 2E 2F  30 31 32 33  34 35 36 37                  # ,-./01234567
</pre>

<BR>

Various displaying methods can be selected (use netwag to learn which
values can be put in parameter --hdrencode or --dataencode).

<BR><H1>How to simulate a testing computer ?</H1>
When computer A wants to reach computer B :
<UL>
	<LI>computer A sends an ARP request to
	every computer on the LAN (it ask &quot;what's the Ethernet address
	of B&quot;)
	<LI>computer B sees this request and
	answer saying &quot;the Ethernet address of B is aa:bb:cc:dd:ee:ff&quot;
	<LI>now computer A knows the Ethernet
	address of B, and can send IP packets to B
</UL>
<BR>

So, when we simulate a computer, we have to answer
to ARP requests, in order to inform other computers.
For example, to simulate the presence of
192.168.10.2, and saying its Ethernet address is 12:34:56:78:90:ab,
we can use :
<pre>
# netwox 73 -i 192.168.10.2 -e 12:34:56:78:90:ab
</pre>
<BR>

<H1>First example</H1>
In this example, we want to verify that :
<UL>
	<LI>the sender 192.168.10.1 can go
	through
	<LI>the router (192.168.10.254 and
	192.168.11.254) to reach
	<LI>the tcp port 80 of 192.168.11.3
</UL>
Both 192.168.10.1 and 192.168.11.3 are &quot;real&quot;
computers (we do not have to simulate them)
<BR><BR>

So, the testing procedure is :
<UL>
	<LI>on 192.168.11.3 : sniff with (use a sniff filter to restrict display)
	&quot;netwox 7 -f "host 192.168.10.1"&quot;
	<LI>on 192.168.10.1 : send a SYN with
	&quot;netwox 40 -l 192.168.10.1 -m 192.168.11.3 -p 80 -C&quot;
	<LI>on 192.168.11.3 : we should see
	the packet
</UL>
<BR><H1>Second example</H1>
In this example, we want to verify that :
<UL>
	<LI>the sender 192.168.10.1 can go
	through
	<LI>the router (192.168.10.254 and
	192.168.11.254) to reach
	<LI>the tcp port 80 of 192.168.11.4
</UL>
The computer 192.168.10.1 is &quot;real&quot; and
192.168.11.4 is simulated with Ethernet address 12:34:12:34:12:34.
So, the testing procedure is :
<UL>
	<LI>on 192.168.11.3 : sniff with
	&quot;netwox 7 -f "host 192.168.10.1"&quot;
	<LI>on 192.168.11.3 : simulate
	192.168.11.4 with &quot;netwox 73 -i 192.168.11.4 -e 12:34:12:34:12:34&quot;
	<LI>on 192.168.10.1 : send a SYN with
	&quot;netwox 40 -l 192.168.10.1 -m 192.168.11.4 -p 80 -C&quot;
	<LI>on 192.168.11.3 : we should see
	the packet for 192.168.11.4
</UL>
<BR><H1>Third example</H1>
In this example, we want to verify that :
<UL>
	<LI>the sender 192.168.10.2 can go
	through
	<LI>the router (192.168.10.254 and
	192.168.11.254) to reach
	<LI>the tcp port 80 of 192.168.11.3
</UL>
The computer 192.168.10.2 is simulated with Ethernet
address 12:34:12:34:12:34. The computer 192.168.11.3 is real.
So, the testing procedure is :
<UL>
	<LI>on 192.168.10.1 : obtain the
	Ethernet address of 192.168.10.254 with &quot;netwox 3
	192.168.10.254&quot; (for example, we obtain aa:aa:aa:aa:aa:aa)
	<LI>on 192.168.11.3 : sniff with
	&quot;netwox 7&quot;
	<LI>on 192.168.10.1 : send a SYN with
	&quot;netwox 36 -d "Eth0" -a "12:34:12:34:12:34" -b "aa:aa:aa:aa:aa:aa"
        -l "192.168.10.2" -m "192.168.11.3" -p "80" -C&quot;
	<LI>on 192.168.11.3 : we should see
	the packet
</UL>
<BR><H1>Other examples</H1>
Several other examples could be written using the same methods.
This is left as an exercise for the reader.
<BR><H1>Conclusion</H1>
Validating the configuration of a router is a long
task, mainly if we want to verify the security of the device. The
knowledge of key points, and the usage of generic tools can however
simplify administrators' job. This paper only described the tests
which can be done. Using these tests and they knowledge,
administrators can elaborate their own method to configure or secure
a router or a firewall.
<BR><BR>


</BODY>
</HTML>

